This topic describes the conditional access feature and how to configure and use the feature.
Overview
Conditional access is the process of evaluating the context of an access request and then making an access decision. You can use the conditional access feature to implement access control based on different scenarios. For example, you can require two-factor authentication only for specific types of applications.
You can use the default access control policy free of charge. If you want to use custom access control policies, you must purchase an Enterprise Edition instance of Identity as a Service (IDaaS) Employee Identity Access Management (EIAM) 2.0 and purchase the conditional access feature for the instance. For more information, see Conditional access billing.
Terms
Term | Description |
custom access control policy | A custom access control policy allows you to configure custom conditions, such as the visitors, accessible objects, and limits. You must separately purchase the conditional access feature before you can use custom access control policies. |
default access control policy | The default access control policy is the system policy that is provided by an IDaaS EIAM instance. You can modify the default access control policy based on the configurations of two-factor authentication. For more information, see Two-factor authentication. You cannot configure custom conditions for the default access control policy. |
access condition | Access conditions include accessible objects, visitors, and limits. An access control policy is hit only if the access context meets all conditions of the access control policy. Otherwise, the system continues the evaluation with the policy of the next lower priority. |
access decision | An access decision is enforced only if all conditions are met. An access decision can be allowing access, denying access, or implementing two-factor authentication. |
Create a custom access control policy
Log on to the IDaaS console. On the EIAM page, click the IDaaS EIAM instance that you want to manage. In the left-side navigation pane, click Sign-In. On the Policy tab of the Sign-In page, click Add Policy. You can create up to 10 custom access control policies.

Step 1: Enter basic information
Policy Name: Enter the name of the access control policy. The name is displayed only in the IDaaS console.
Priority: Specify the priority of the access control policy. Only one access control policy is hit for each access. You can specify the priority of policies to implement flexible access control. Valid values: 1 to 100. A smaller value indicates a higher priority.

Step 2: Specify an accessible object
An accessible object refers to a protected application. You can set the Application Range parameter to All Applications or Specific Application.
All Applications: When you access any application, this condition is met.
Specific Application: This condition is met only if you access a specific application. If you select Specific Application, you can select IDaaS Application Portal or applications that are created in the IDaaS EIAM instance for the Select Application parameter.

Step 3: Specify a visitor
A visitor refers to the account that initiates an access request. You can set the Visitor Range parameter to All Accounts, All Groups, or Specific Account.
All Accounts: All accounts meet this condition.
All Groups: If the account belongs to a group, this condition is met.
Specific Account: A specific account meets this condition. You can directly select an account or select an account by configuring a group or an organization.

In addition, you can use the Exclude Visitors feature to specify accounts that never meet the visitor condition. An access request from an excluded account does not hit the access control policy, even if all other conditions are met.

Step 4: Specify limits
You can specify a network scope as the limit of an access control policy. To configure a network scope, use the network access feature that allows you to dynamically adjust IP addresses without the need to modify other configurations. For more information, see Network scope. You can set the Client CIDR Block parameter to All IP Addresses or Specific CIDR Block.
All IP Addresses: This condition is met regardless of the network scope of a visitor.
Specific CIDR Block: This condition is met only if a visitor uses a CIDR block or IP address specified in the network scope.

Step 5: Specify an access decision
When an access request meets all conditions of an access control policy, the access control policy is hit, and IDaaS enforces the access decision specified in the access control policy. The following list describes the access decisions:
Allow Access: If an access control policy is hit, the access request is allowed. If you select Allow Access, you can configure more parameters to improve the security or convenience of access.
Select Two-factor Authentication Mode: specifies whether to implement two-factor authentication.
Do Not Require Two-factor Authentication: Two-factor authentication is not required for the account, and the account can directly access an application.
Custom Two-factor Authentication: Two-factor authentication is required for the account, and the account must pass two-factor authentication by using the method that you specify. For example, you can specify a strict two-factor authentication method for highly sensitive applications.
Select Two-factor Authentication Method: Select one or more two-factor authentication methods for the account. Then, the account must pass two-factor authentication by using one of the methods.
MFA Automatic Pass: After the account passes two-factor authentication once in a logon session, two-factor authentication is not required again for later access requests in the same session that hit the same access control policy. For example, Applications A and B have the same access control policy, which requires an SMS verification code for two-factor authentication. After the account accesses Application A, two-factor authentication is no longer required when the account accesses Application B.
Validity Period of MFA Automatic Pass: During the validity period that you specify, two-factor authentication is not required. After the validity period expires, the account must pass two-factor authentication again. This limits how long a passed verification is reused and helps ensure access security.
Deny Access: If an access control policy is hit, the access request is denied.

If you select Deny Access and the access control policy is hit, the account cannot access the requested application. If the Access Policy parameter is set to Deny Access for the IDaaS application portal, the user cannot log on to the portal. Proceed with caution.
The access control policy takes effect 3 minutes after it is created or modified.
Step 6: Enable a custom access control policy
To ensure normal user access, a custom access control policy is disabled when it is created, so it cannot interrupt user access before you review it. If you want to use the custom access control policy, manually enable it.

Delete a custom access control policy
You can manually delete a custom access control policy. You must disable the custom access control policy before you delete it. To ensure normal user access, after you disable the custom access control policy, we recommend that you monitor user access. If no exceptions occur, you can delete the custom access control policy. You cannot restore a deleted custom access control policy.
Default access control policy
The default access control policy has the lowest priority and permanently takes effect for all accounts and applications. The scope and limits of the default access control policy cannot be adjusted. You can enable or disable two-factor authentication or change the two-factor authentication methods on the Two-Factor Authentication page. For more information, see Two-factor authentication.
Scenarios and usage
Scenario | Access control policy | Policy settings | Description |
IDaaS or an application can be accessed only by using an office IP address. | Policy 1 | (image not included) | Higher priority. When all conditions are met, the access request is allowed. |
(same scenario) | Policy 2 | (image not included) | Lower priority. If Policy 1 is not hit, the access request is denied. |
A specific application requires WebAuthn logon for two-factor authentication. For more information, see WebAuthn logon. | Policy 3 | (image not included) | When you access a specific application, you must use WebAuthn for two-factor authentication. WebAuthn supports authentication methods such as native fingerprint and facial recognition. |
Two-factor authentication is required for each access request of highly sensitive applications. | Policy 4 | (image not included) | Two-factor authentication is required for each single sign-on (SSO) operation of an application. |
Accounts in Group A and Group B have different access requirements. | Policy 5 | (image not included) | Access control policy for Group A |
(same scenario) | Policy 6 | (image not included) | Access control policy for Group B |
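The following Python script is an added example, not IDaaS product code, that models the evaluation rules described in Steps 1 to 6 and in the scenarios table: enabled policies are checked in priority order (smaller value first), a policy is hit only if its accessible object, visitor, excluded visitors, and client CIDR block conditions all match, the first hit decides (allow, deny, or two-factor authentication with an MFA Automatic Pass window), and the default policy applies when no custom policy is hit. The policy names, account names, group names, and the 203.0.113.0/24 office block are constructed sample data and are not values from the IDaaS console.

```python
# Added example (not IDaaS product code): a small evaluator that follows the
# conditional-access semantics described on this page. Policy names, the CIDR
# block and the accounts below are constructed sample data.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Policy:
    name: str
    priority: int                        # 1..100, smaller value = higher priority
    decision: str = "allow"              # "allow" or "deny"
    enabled: bool = True                 # custom policies start disabled (Step 6)
    applications: Optional[FrozenSet[str]] = None  # None = All Applications
    visitor_range: str = "all_accounts"  # all_accounts | all_groups | specific
    accounts: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()
    excluded_accounts: FrozenSet[str] = frozenset()  # Exclude Visitors
    cidrs: Optional[List[str]] = None    # None = All IP Addresses
    mfa_methods: Tuple[str, ...] = ()    # () = Do Not Require Two-factor Authentication
    mfa_auto_pass_seconds: int = 0       # 0 = MFA on every access that hits this policy


@dataclass
class AccessContext:
    account: str
    groups: FrozenSet[str]
    application: str
    client_ip: str
    now: float                           # seconds, for the MFA Automatic Pass window
    mfa_passed_at: Dict[str, float] = field(default_factory=dict)  # policy -> time


def conditions_met(p: Policy, ctx: AccessContext) -> bool:
    """A policy is hit only if accessible object, visitor and limits all match."""
    # Step 2: accessible object
    if p.applications is not None and ctx.application not in p.applications:
        return False
    # Step 3: visitor, with excluded accounts checked first
    if ctx.account in p.excluded_accounts:
        return False
    if p.visitor_range == "all_groups" and not ctx.groups:
        return False
    if p.visitor_range == "specific" and ctx.account not in p.accounts \
            and not (ctx.groups & p.groups):
        return False
    # Step 4: limits (client CIDR block)
    if p.cidrs is not None:
        ip = ipaddress.ip_address(ctx.client_ip)
        if not any(ip in ipaddress.ip_network(c, strict=False) for c in p.cidrs):
            return False
    return True


def decide(p: Policy, ctx: AccessContext) -> str:
    """Step 5: 'allow', 'deny', or 'mfa:<method,...>' when MFA is still owed."""
    if p.decision == "deny":
        return "deny"
    if not p.mfa_methods:
        return "allow"
    last = ctx.mfa_passed_at.get(p.name)
    if last is not None and p.mfa_auto_pass_seconds > 0 \
            and ctx.now - last < p.mfa_auto_pass_seconds:
        return "allow"                   # MFA Automatic Pass still within validity period
    return "mfa:" + ",".join(p.mfa_methods)


def evaluate(policies: List[Policy], default: Policy, ctx: AccessContext) -> Tuple[str, str]:
    """First enabled policy, in priority order, whose conditions are met wins;
    otherwise the default policy (lowest priority, always hit) applies.
    Ordering among equal priorities is not specified on the page; list order is kept."""
    for p in sorted((q for q in policies if q.enabled), key=lambda q: q.priority):
        if conditions_met(p, ctx):
            return p.name, decide(p, ctx)
    return default.name, decide(default, ctx)


# Constructed sample: the "office IP only" scenario (Policy 1 + Policy 2) plus a
# per-access WebAuthn requirement for one sensitive application (Policy 3/4 style).
OFFICE_CIDR = "203.0.113.0/24"           # placeholder documentation range
SAMPLE_POLICIES = [
    Policy("finance-webauthn", 5, applications=frozenset({"finance"}),
           mfa_methods=("webauthn",)),
    Policy("office-allow", 10, cidrs=[OFFICE_CIDR], mfa_methods=("sms",),
           mfa_auto_pass_seconds=600, excluded_accounts=frozenset({"contractor"})),
    Policy("deny-outside-office", 20, decision="deny"),
]
DEFAULT_POLICY = Policy("default", 100)  # no MFA configured in this sample

if __name__ == "__main__":
    ctx = AccessContext("alice", frozenset({"staff"}), "wiki", "203.0.113.7", now=1000.0)
    print(evaluate(SAMPLE_POLICIES, DEFAULT_POLICY, ctx))  # ('office-allow', 'mfa:sms')
    ctx.client_ip = "198.51.100.9"
    print(evaluate(SAMPLE_POLICIES, DEFAULT_POLICY, ctx))  # ('deny-outside-office', 'deny')
```

The order of the sample list matters only for the deny policy: because Policy 2 in the table has no conditions beyond "all applications, all accounts, all IP addresses", it must carry a lower priority (larger number) than the allow policy, or it would be hit first and block every request. The same reasoning applies to the real console: test a new deny policy with a narrow visitor range before widening it.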